Find Action/Change that lowered the 0365 Secure Score / securescore

%3CLINGO-SUB%20id%3D%22lingo-sub-283944%22%20slang%3D%22en-US%22%3EFind%20Action%2FChange%20that%20lowered%20the%200365%20Secure%20Score%20%2F%20securescore%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-283944%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20pulling%20the%20SecureScore%20via%20API%20to%20a%20SIEM%20and%20created%20an%20alert%20when%20the%20SecureScore%20is%20decreased%2C%20we%20now%20would%20like%20to%20find%20out%20the%20action%20or%20change%20that%20was%20performed%20which%20caused%20the%20SecureScore%20to%20be%20lowered.%20Any%20hints%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20instance%20our%20AdoptedODB%20score%26nbsp%3B%20gone%20from%2010%20to%200%20over%20night%3C%2FP%3E%3CP%3E-%20Did%20not%20find%20a%20mapping%20table%20but%20take%20the%20JSON%20value%20of%20AdoptedODB%20%3D%20%22Store%20user%20Documents%20in%20OneDrive%20for%20Business%22.%20Thus%20this%20likely%20means%20%22disabled%20OneDrive%20for%20Business%22%3C%2FP%3E%3CP%3E-%20Via%20the%20%22Audit%20Log%20Search%22%20in%20the%20Security%26amp%3BCompliance%20do%20not%20see%20enable%2Fdisable%20ODB%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Hi there

 

We are pulling the SecureScore via API to a SIEM and created an alert when the SecureScore is decreased, we now would like to find out the action or change that was performed which caused the SecureScore to be lowered. Any hints?

 

For instance our AdoptedODB score  gone from 10 to 0 over night

- Did not find a mapping table but take the JSON value of AdoptedODB = "Store user Documents in OneDrive for Business". Thus this likely means "disabled OneDrive for Business"

- Via the "Audit Log Search" in the Security&Compliance do not see enable/disable ODB

0 Replies